Therefore, anyone offering Facebook/Google login will also have to accept Apple's anonymized forwarded email addresses, like fc452bd5ea@privaterelay.appleid.com.
But this explicitly doesn’t work as an SSO. How can I tie that back to the actual email address they would have used to create an account using their FB / Google account?
This sounds like a tremendous headache that I really don’t want to worry about. But Apple is looking to leverage their power in the app market to force me to implement a tool I may not be interested in as a merchant?
I despise being strong armed. I hope the EU crushes this.
It seems the email part is optional (i.e. you can choose to share your verified email with the company if you want).
The above scenario goes against what they are trying to achieve though.
1) If you support SSO and email/password - then the email and password are still stored (and possibly not hashed and salted if the developer is incompetent) - so you are at risk of compromise if you reuse passwords
2) If you store the users actual email, you are putting them at risk of credential stuffing, as well as opening them up to tracking
The EU can always surprise, but I suspect they would actually like this because it addresses key risks to consumers of password reuse, credential stuffing, and tracking. Additionally it competes against their ideological targets, Facebook and Google.
EU is not picking on FB and Google specifically. This mindset is toxic. They are picking on all monopolies for European customers and have been for a long time. Basically we believe the market is not healthy if there isn’t any competition.
This is a bit of a rose-tinted outlook. GDPR does not increase competition, the amount of regulation in EU and worker protections in place raise barriers for new competitors. France has laws that prohibit new movies from being put on Netflix in order to support local distributors etc.
Not saying what the EU does is good or bad, but painting it as pro free market competition seems unfounded.
GDPR isn’t about addressing monopolies. It’s about addressing privacy and data ownership.
Every tech related legislation doesn’t and shouldn’t need to solve every tech related problem. The EU has other, non GDPR related, mechanisms to handle monopoly issues.
My point is EU will adopt regulation that actively harms competition (such as GDPR), because they have different priorities (e.g. privacy, data ownership as you mentioned).
So to me it seems unfounded to say EU cares about market health and is not, in fact, just picking on FB and Google.
I am honestly curious what you think are examples of EU mechanisms fostering healthy markets. Maybe the MS case but that is the same “EU picks on US tech giant” genre.
Presumably it’s always the same address every time they sign in. It is used for single sign on after all!
However, I wish email and sms would go away as a way to authenticate. Until it does I will be using foo+aliashere@gmail.com so that my account can’t get transferred to someone else through socially engineering a tired rep.
But someone who has already signed up via FB is going to click that button and then get angry when we can’t log them into their account.
I personally don’t use FB login. And I use `+merchant` to keep track of bad actors. But from a merchant perspective this will likely be a chore. And Apple has decided that we don’t get to decide if it’s worth it. We can’t disable FB login because we’ve supported it for a long time and a ton of accounts only have a FB-synced profile.
To be clear, it’s not the product I have issue with. It’s the draconian ultimatum that because we are in bed with FB we have to also get in bed with Apple Sign In.
They could have just built this into their form system. It already recommends my personal email / credit card / auto generated password. Why not prepopulate / suggest an Apple-generated email? Why force the merchant to implement another standard which breaks all other SSO integrations _by design_?
I don’t have answers to those questions. If this was a consumer feature embedded into their keyboard I’d be ecstatic. Strong arming merchants to implement and bear the full cost of confused consumers who can’t seem to login to their app _even when they click the Apple button_ is inexplicable (to me).
"+merchant" doesn't do squat to prevent bad actors from selling your email address. Anyone so inclined to sell your address would just strip off the postfix since they know it's unnecessary per the spec.
One of the many advantages of using a hosted solution with your own domain is that you can receive email from arbitrary addresses in the same inbox. For example merchant1@inboxname.mydomain.com gets sent to my inbox at Fastmail. inboxname@mydomain.com doesn't exist, so there's no way to get my "real" email address from what I give out to merchants. If I start getting spam on an address, whoops, you and everyone you sold my email to get sent to a black hole in the cloud.
Gmail ignores (or ignored?) dots on the left of the @, so some.person@gmail.com and someperson@gmail.com and s.om.e.person@gmail.com all went to the same inbox. That is gmail-specific.
Because thousands of people already have an account tied to a specific email and are going to click the Apple button and get really mad when we can’t log them in.
Apparently they want to use it, otherwise they wouldn’t, right? This way they can have the easy login using Face ID and you can use the account they already have.
You send information to the apple address, that's what it's for. You can still send it invoices or a magic link, the user gets it and clicks on it, nothing is changed in that regard. The difference is they can turn off that email address and never hear from you again if that is what they want.
Stuff sent to the fake email address will be forwarded to the user’s real email address, from what I understand. So you will still be able to communicate with them.
This is the same problem you get from any identity provider — what happens when you finally delete your facebook? — it's just more obvious with Apple. With a 97% satisfaction rate, most iPhone users don’t want to go anywhere else… but yes, if you want to stay free, you should always create credentials directly with any app or service you use, when possible.
That said, the concept of "Apple Sign-In" for Android and other platforms is an interesting one, not likely in the short term, but possible someday!
I'm speculating here, but Apple Sign-In for Android would work just fine if the sign-in process was based on an OAuth flow where the credentials are entered into a web form. From the limited details I've seen that sounds like how Apple Sign In will work.
A service supporting alternate identity providers via OAuth (Facebook, Twitter, Google, Github) via a flow like this shouldn't have trouble with Apple Sign In from a web page, iOS app, or Android app.
It is not about deleting accounts or moving over. Heavy user has multi-device setup, I use Android tablet, iPhone, Mac and sometimes PC, some appliances like Synology with bundled apps also. Nowadays even my printer has online sign in, for file sharing apps. I expect same account to work everywhere. If they provide reasonable platform-independent email solution, it may work.
Yes, but while I can choose to log in with facebook, or google, or whatever, it appears that Apple are mandating that app providers use the Apple sign-in, which means app users no longer get to choose.
Unless I'm misunderstanding what the mandatory part is.
They are mandating that if you offer any other authentication provider (e.g. Facebook, Google, etc), that you have to offer Apple sign-in as an option as well.
The option is mandatory. End users using it is optional.
If the policy is "if you offer one or more authentication providers, you must include Apple sign-in", while it's still a little harsh, I think it's much more defendable and reasonable.
Only if they grandfather existing apps. We made the decision a long time ago to support FB login. That decision now requires us to either stop having an app in iOS, remove FB login (which a good portion of people use exclusively), or implement a new authentication provider _that won't work for people that already have an account with us_.
Again, the tech is fine. The strong-arm is indefensible.
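The account-matching problem raised several times in this thread, as an added sketch that is not from any commenter or from Apple's documentation: accounts are keyed on a stable per-user identifier from each provider rather than on the email address, and a second provider is attached only from a session already signed in to the existing account. It assumes each provider returns such an identifier (the `sub` claim in OpenID Connect) and that the login token has already been validated; `AccountStore`, the provider names and the sample identifiers are hypothetical.

```python
from dataclasses import dataclass, field
from itertools import count

RELAY_DOMAIN = "privaterelay.appleid.com"  # relay domain quoted in the thread

@dataclass
class Account:
    user_id: int
    contact_email: str
    identities: set = field(default_factory=set)  # {(provider, subject)}

class AccountStore:
    def __init__(self):
        self._ids = count(1)
        self.accounts = {}      # user_id -> Account
        self.by_identity = {}   # (provider, subject) -> user_id

    def _create(self, provider, subject, email):
        acct = Account(next(self._ids), email, {(provider, subject)})
        self.accounts[acct.user_id] = acct
        self.by_identity[(provider, subject)] = acct.user_id
        return acct

    def sign_in(self, provider, subject, email):
        """Return (status, user_id) for an already-validated provider login."""
        key = (provider, subject)
        if key in self.by_identity:  # identity seen before: email is irrelevant
            return "signed_in", self.by_identity[key]
        is_relay = email.lower().endswith("@" + RELAY_DOMAIN)
        if not is_relay:
            for acct in self.accounts.values():
                if acct.contact_email.lower() == email.lower():
                    # Same address via a new provider: never merge silently,
                    # ask the user to sign in the old way and link from there.
                    return "link_required", acct.user_id
        return "created", self._create(provider, subject, email).user_id

    def link(self, session_user_id, provider, subject):
        """Attach a new identity to the account the user is signed in to."""
        key = (provider, subject)
        if key in self.by_identity:
            raise ValueError("identity already linked to an account")
        self.accounts[session_user_id].identities.add(key)
        self.by_identity[key] = session_user_id

if __name__ == "__main__":  # constructed sample data
    store = AccountStore()
    print(store.sign_in("facebook", "fb-1001", "pat@example.com"))
    store.link(1, "apple", "apple-abc")  # done from the Facebook session
    print(store.sign_in("apple", "apple-abc", "fc452bd5ea@" + RELAY_DOMAIN))
```

A relay address can never match an existing contact email, so an unlinked first-time Apple login creates a separate account; the "link_required" path only helps when the user chose to share their real address.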
I expect the disposable email will end up in Keychain, and you can export from there. Not the most user-friendly thing, but doable. Well, at least on a Mac.